Senator Richard Blumenthal, a staunch consumer privacy advocate, has said that Epsilon should be notifying every consumer whose data were involved in the recent humongous breach. You can read his entire letter to Attorney General Eric Holder requesting an investigation on his web site, but here’s part of what he wrote:
I believe that immediate notification to all customers is vital to protect them – and enable them to protect themselves – from identity theft.
[…]
I believe that affected individuals should be notified and provided with financial data security services, including free access to credit reporting services, for two years, the costs of which should be borne by Epsilon or its affected clients. I believe it is also necessary to provide every affected individual with sufficient insurance to protect them against possible financial consequences of identity theft.
Who Should Send Us the Notifications?
Should Epsilon be sending us the notifications – as Senator Blumenthal’s letter would seem to suggest – or should the company who gave our data to them be sending us the notifications?
If you have an account with a store and got a branded credit card through World Financial Network National Bank (WFNNB), WFNNB sent you the notification and apology email. They told you that their email was about [name of store where you have an account], but it was their email to you – not the store’s.
So you got the important information to be alert to phishing attempts, but you probably didn’t hear from the store. Are you okay with that? It was WFNNB who had the contract with Epsilon (or so it seems from their notification email text), but whom do you feel you have the relationship with – the store or WFNNB?
Who owes you the apology as well as the information?
And who should be accountable for this? The store or WFNNB – or both?
You trusted the store. They trusted WFNNB. WFNNB trusted Epsilon. But it all started with consumer trust in the store. And I think we need to hold the stores (or hotels or financial institutions) accountable if they want to keep our trust and our business. For that reason, I’ve been including all of their names in the running list of affected entities even though most other sites keeping tabs have not taken this approach and might just list WFNNB.
I’d also point out that on practical and safety levels, even if we had gotten an email from Epsilon (as the Senator urges), would most of us have even opened it, much less believed it – or would we have just looked at the subject line and deleted it as probably spam or a phishing attempt?
What do you think? You can sound off in the Comments section.